Administrator at 22:11, 17 February 2026

2026-02-17T22:11:43Z

imported>Aghanim at 12:44, 20 December 2023

2023-12-20T12:44:23Z

New page

[[File:2023-12-image-6.png|thumb]]

Work in Progress

== Courses ==

[https://institute.sektor7.net/ SEKTOR7 Institute]

[https://maldevacademy.com/ https://maldevacademy.com/]

EvasionEDR By Matt Hand

== Sources ==

{| class="wikitable"
|-
! URL
! Description
! Category
|-
| [https://github.com/NUL0x4C/HellShell https://github.com/NUL0x4C/HellShell]
| HellShell GitHub repository
| Penetration Testing
|-
| [https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/#weapon https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/#weapon]
| Exploit writing tutorial on Corelan.be
| Exploit Development
|-
| [https://www.corelan.be/ https://www.corelan.be/]
| Corelan.be website
| Cybersecurity
|-
| [https://github.com/Krypteria/AtlasLdr https://github.com/Krypteria/AtlasLdr]
| AtlasLdr GitHub repository
| Malware Analysis
|-
| [https://labs.jumpsec.com/obfuscating-c2-during-a-red-team-engagement/ https://labs.jumpsec.com/obfuscating-c2-during-a-red-team-engagement/]
| Article on obfuscating C2 during Red Team engagement
| Red Teaming
|-
| [https://github.com/matterpreter/DefenderCheck https://github.com/matterpreter/DefenderCheck]
| DefenderCheck GitHub repository
| Security Tools
|-
| [https://pinvoke.net/ https://pinvoke.net/]
| PInvoke.net - Platform Invoke for .NET
| Programming
|-
| [https://github.com/mkaring/ConfuserEx/releases/tag/v1.6.0 https://github.com/mkaring/ConfuserEx/releases/tag/v1.6.0]
| ConfuserEx GitHub repository (v1.6.0 release)
| Malware Analysis
|-
| [https://virusscan.jotti.org/en-US/scan-file https://virusscan.jotti.org/en-US/scan-file]
| Jotti's Virus Scan - File scanning tool
| Antivirus
|-
| [https://redops.at/en/blog/direct-syscalls-a-journey-from-high-to-low https://redops.at/en/blog/direct-syscalls-a-journey-from-high-to-low]
| Article on direct syscalls in Red Teaming
| Red Teaming
|-
| [https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/ https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/]
| Raspberry Robin anti-evasion exploit analysis
| Exploit Analysis
|-
| [https://vanmieghem.io/process-injection-evading-edr-in-2023/ https://vanmieghem.io/process-injection-evading-edr-in-2023/]
| Article on process injection and EDR evasion
| Cybersecurity
|-
| [https://redsiege.com/blog/2023/04/evading-crowdstrike-falcon-using-entropy/ https://redsiege.com/blog/2023/04/evading-crowdstrike-falcon-using-entropy/]
| Evading Crowdstrike Falcon using entropy
| Evasion Techniques
|-
| [https://evasions.checkpoint.com/ https://evasions.checkpoint.com/]
| Check Point Evasions - Evasion techniques
| Evasion Techniques
|-
| [https://vx-underground.org/ https://vx-underground.org/]
| VX Underground - Malware and Exploit Community
| Malware Analysis
|-
| [https://unprotect.it/ Home - Unprotect Project]
| Search Evasion Techniques
| Evasion Techniques
|}

== x86 & x64 Assembler and Disassembler ==

Wondering what your shellcode is doing? This website will disassemble it for you and show the instructions.

[https://defuse.ca/online-x86-assembler.htm# Online x86 and x64 Intel Instruction Assembler]

[[File:2023-12-image-7.png|thumb]]

== Callback function list ==

[https://github.com/aahmad097/AlternativeShellcodeExec aahmad097/AlternativeShellcodeExec: Alternative Shellcode Execution Via Callbacks (github.com)]

>
According to Microsoft, a callback function is code within a managed application that helps an unmanaged DLL function complete a task. Calls to a callback function pass indirectly from a managed application, through a DLL function, and back to the managed implementation.

=== Example: Using CertEnumSystemStore ===

[https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certenumsystemstore MSDN Documentation for CertEnumSystemStore]

<syntaxhighlight lang="c">
#include
#include
#include

// Shellcode payload
unsigned char shellcode[] =
"\x90\x90\x90\x90" // NOPs for padding
"\xcc"; // INT 3 (breakpoint for debugging)

BOOL WINAPI Payload(const void *pvSystemStore, DWORD dwFlags, PCERT_SYSTEM_STORE_INFO pStoreInfo, void *pvReserved, void *pvArg) {
((void(*)())shellcode)();
return TRUE;
}

int main() {
if (!CertEnumSystemStore(CERT_SYSTEM_STORE_CURRENT_USER, NULL, NULL, Payload)) {
printf("[!] CertEnumSystemStore Failed With Error : %d \n", GetLastError());
return -1;
}
return 0;
}

</syntaxhighlight>

== Convert raw shellcode to raw binary format ==

Use CyberChef. Copy the shellcode to Cyberchef and choose "From Hex" as operations. Then save the output to .bin. This can be done the other way around also. From raw binary to shellcode.

[[File:2023-12-image-8.png|thumb]]

[[File:2023-12-image-9.png|thumb]]

== EDR Telematry ==

[https://docs.google.com/spreadsheets/u/0/d/1ZMFrD6F6tvPtf_8McC-kWrNBBec_6Si3NW6AoWf3Kbg/htmlview?pli=1 EDR Telemetry Tracking for Windows - Google Drive]

[https://docs.google.com/spreadsheets/d/e/2PACX-1vTwYjAK5x_9e_xA8UP83iTErnTmg4_JrHbEYrWLRGDcICpqw5hRAoLNNF6SCwQkQTVRyVMNsur7zy6t/pubhtml?gid=1993314609&single=true&widget=true&headers=false Embedded Content]

== EDR Telematry v2 ==

[https://www.edr-telemetry.com/windows.html EDR Telemetry Project - Windows]

== Entropy reduction ==

Reducing entroy makes the data appear less random. A high entropy might indicate encryption and some EDRs might raise suspicion. Some of the techniques to reduce entroyp is:

'''Encoding After Encryption''': Applying encoding like URL encoding reduces the range of characters used (e.g., using only alphanumeric characters and fewer symbols) while preserving the data's integrity. This limits the number of unique bytes, decreasing the perceived randomness.

'''Disguising the Encoded Payload''': After encoding, disguise the payload by embedding it into seemingly legitimate data, such as fake URLs, CSV files, or even certificates. This helps evade detection during analysis or reverse engineering.

'''Loader Decoding and Execution''': The loader should read and decode the disguised data, reverting it to its original form before execution.

== HijackLibs ==

[https://hijacklibs.net/ HijackLibs]

>
This project provides an curated list of DLL Hijacking candidates. A mapping between DLLs and vulnerable executables is kept and can be searched via this website. Additionally, further metadata such as resources provide more context.

== Joesandbox - Malware Analysis ==

Can analyze malicous websites and files. Collections available.

[https://www.joesandbox.com/#windows Automated Malware Analysis - Joe Sandbox Cloud Basic]

[https://www.joesecurity.org/ Deep Malware and Phishing Analysis - Joe Sandbox]

== Malapi.io ==

[https://malapi.io/ MalAPI.io]

MalAPI.io maps [https://docs.microsoft.com/en-us/windows/win32/apiindex/windows-api-list Windows APIs] to common techniques used by malware.

== No-defender ==

[https://github.com/es3n1n/no-defender es3n1n/no-defender: A slightly more fun way to disable windows defender + firewall. (through the WSC api) (github.com)]

== NtDoc - The native NT API online documentation ==

[https://ntdoc.m417z.com/ NtDoc - The native NT API online documentation (m417z.com)]

>
This collection of Native API header files has been maintained since 2009 for the Process Hacker project, and is the most up-to-date set of Native API definitions that I know of. I have gathered these definitions from official Microsoft header files and symbol files, as well as a lot of reverse engineering and guessing. See <code>phnt.h</code> for more information.

== Parasite-invoke ==

[https://github.com/MzHmO/Parasite-Invoke MzHmO/Parasite-Invoke: Hide your P/Invoke signatures through other people's signed assemblies (github.com)]

>
Hide your P/Invoke signatures through other people's signed assemblies!

[[File:2024-06-image.png|thumb]]

== Reverse engineering of everything Microsoft ==

[https://www.geoffchappell.com/index.htm Geoff Chappell, Software Analyst]

Kernel, Win32, Shell, Internet Explorer, Visual C++.

== Vergilius project ==

[https://www.vergiliusproject.com/about Vergilius Project | About]

>
This project provides a collection of Microsoft Windows kernel structures, unionsand enumerations.

== Unprotect.it ==

[https://unprotect.it/ Home - Unprotect Project]

>
This project aims to provide Malware Analysts and Defenders with actionable insights and detection capabilities to shorten their response times.

[[File:2024-06-image-1.png|thumb]]

== [https://evasions.checkpoint.com/ Evasion techniques] ==

[https://evasions.checkpoint.com/ Evasion techniques (checkpoint.com)]

>
In this encyclopedia we have attempted to gather all the known ways to detect virtualized environment grouping them into big categories. Some categories are inactive on main page: it means that content will be added later. If it isn’t stated explicitly which operating system is described, Windows is meant by default.

[[File:2024-06-image-2.png|thumb]]

== Windows Icons ==

Windows Icon locations:

<syntaxhighlight lang="bash">
%systemroot%\system32\imageres.dll
%systemroot%\system32\shell32.dll
%systemroot%\system32\ddores.dll
%systemroot%\system32\pifmgr.dll
%systemroot%\explorer.exe
%systemroot%\system32\accessibilitycpl.dll
%systemroot%\system32\moricons.dll
%systemroot%\system32\mmcndmgr.dll
%systemroot%\system32\mmres.dll
%systemroot%\system32\netcenter.dll
%systemroot%\system32\netshell.dll
%systemroot%\system32\networkexplorer.dll
%systemroot%\system32\pnidui.dll
%systemroot%\system32\sensorscpl.dll
%systemroot%\system32\setupapi.dll
%systemroot%\system32\wmploc.dll
%systemroot%\system32\wpdshext.dll
%systemroot%\system32\compstui.dll
%systemroot%\system32\ieframe.dll
%systemroot%\system32\dmdskres.dll
%systemroot%\system32\dsuiext.dll
%systemroot%\system32\mstscax.dll
%systemroot%\system32\wiashext.dll
%systemroot%\system32\comres.dll
%systemroot%\system32\mstsc.exe
%systemroot%\system32\actioncentercpl.dll
%systemroot%\system32\aclui.dll
%systemroot%\system32\autoplay.dll
%systemroot%\system32\comctl32.dll
%systemroot%\system32\filemgmt.dll
%systemroot%\system32\ncpa.cpl
%systemroot%\system32\url.dll
%systemroot%\system32\xwizards.dll
</syntaxhighlight>

Iconfinder:

[https://www.iconfinder.com/search Icons - Iconfinder]

[[Category:Handbooks]]
[[Category:Malware Development]]

Handbook V - Maldev - Revision history

Administrator at 22:11, 17 February 2026

imported>Aghanim at 12:44, 20 December 2023